Re: Filters for PM

David Carmean (dave@west.net)
Thu, 30 Nov 1995 15:07:07 -0800 (PST)

On Thu, 30 Nov 1995, John-David Childs wrote:

> On Fri, 1 Dec 1995, Justin McErlain wrote:
>
> > Hi all,
> >
> >
> > our domain 202.37.101 (mac.co.nz)
> > adjacent site 132.181.30.3 (cantva.canterbury.ac.nz)
>
> If I remember correctly, the "rule" of filters is:
>
> "That which isn't expressly granted is denied".
>
> Thus, you may want to put an ALLOW statement first, then DENY what you
> don't want them to do.
>

Assuming all you want to do is block certain PPP/SLIP users from
telnetting directly from their host to the destination in question (too
many gamers, eh?) this should work:

(relevant SLIP/PPP interface ifilter)

set filter foo 1 deny tcp 0.0.0.0/0 132.181.30.3/32 dst eq 23
set filter foo 2 permit tcp 0.0.0.0/0 0.0.0.0/0
set filter foo 3 permit udp 0.0.0.0/0 0.0.0.0/0
set filter foo 4 permit icmp 0.0.0.0/0 0.0.0.0/0

You may have forgotten that there is an implied "deny all" rule
at the end of every filter set. The above is a "permit by default"
type of filter, which you may or may not want to use.


BTW, I have never tried to use domain names in filter rules,
but even if it works, it's a bad idea. Opens up another avenue for
attack by subverting DNS, and can't help performance either.

------------------------------------------------------------------------
David Carmean WB6YZM DC574 dave@west.net
System/Network Administrator, WestNet Communications, Inc.
PGP Key Fingerprint: CD 1C C1 15 3E E3 1D 41 ED C2 3E A8 D6 29 BD C4
------------------------------------------------------------------------
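The ordering point made in this thread (first matching rule wins, with an implied "deny all" after the last rule) is easy to get wrong, so here is a small added example, not from any of the posters, that models that evaluation in Python. It assumes rules are checked top to bottom and that a telnet connection from the dial-up user is matched on destination port 23 (the "dst eq 23" form); the four-rule set mirrors the filter above, and the client address 202.37.101.5 and the "gre" packet are constructed sample input.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# A single filter line: action, protocol, source/destination prefixes and an
# optional destination-port match (the "dst eq N" clause).
@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp", ...
    src: str               # CIDR prefix, e.g. "0.0.0.0/0"
    dst: str               # CIDR prefix, e.g. "132.181.30.3/32"
    dst_port: Optional[int] = None   # None means "any port"


# The packet arriving on the SLIP/PPP interface (ifilter direction).
@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule matches the packet."""
    if rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, rule number).

    A packet that matches no rule falls through to the implied deny-all,
    reported here as ("deny", None).
    """
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, number
    return "deny", None


# The filter from the post, with the telnet match on the destination port.
FILTER_FOO: List[Rule] = [
    Rule("deny", "tcp", "0.0.0.0/0", "132.181.30.3/32", dst_port=23),
    Rule("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("permit", "udp", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0"),
]

# Same rules with the broad "permit tcp" placed first: the deny never fires.
FILTER_WRONG_ORDER: List[Rule] = [FILTER_FOO[1], FILTER_FOO[0]] + FILTER_FOO[2:]

# Constructed sample traffic from a dial-up user at 202.37.101.5.
TELNET_TO_CANTVA = Packet("tcp", "202.37.101.5", "132.181.30.3", 23)
WEB_TO_CANTVA = Packet("tcp", "202.37.101.5", "132.181.30.3", 80)
DNS_QUERY = Packet("udp", "202.37.101.5", "132.181.30.3", 53)
GRE_TUNNEL = Packet("gre", "202.37.101.5", "132.181.30.3")   # no rule lists gre


if __name__ == "__main__":
    for name, pkt in [("telnet", TELNET_TO_CANTVA), ("http", WEB_TO_CANTVA),
                      ("dns", DNS_QUERY), ("gre", GRE_TUNNEL)]:
        action, num = evaluate(FILTER_FOO, pkt)
        print(f"{name:6} -> {action} (rule {num if num else 'implied deny-all'})")
    action, num = evaluate(FILTER_WRONG_ORDER, TELNET_TO_CANTVA)
    print(f"telnet with permit placed first -> {action} (rule {num})")
```

Running it shows the telnet packet stopped by rule 1 and web and DNS traffic passed by rules 2 and 3, while the GRE packet, which no rule mentions, hits the implied deny-all. The second filter demonstrates the ordering trap: with "permit tcp any any" placed first, the telnet packet is permitted by rule 1 and the deny rule behind it is never consulted.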